1. Field
One feature generally relates to detection of malicious code in software systems, and more particularly, to methods and devices that detect return-oriented programming exploitation in software systems.
2. Background
Computing systems executing software are under a growing array of attacks from attackers commonly referred to as hackers. These attackers have found ways to insert malicious code into a computing system, and then cause the computing system to execute the malicious code. The malicious code may perform many different operations, such as causing the computing system to run slower than normal, monitoring activity on the computing system, causing the computing system to transmit or receive information that a user may not want communicated, corrupting data in persistent and non-persistent memory, and crashing the computing system.
Recently, attack mechanisms sometimes called Return-Oriented Programming (ROP) exploits have been proposed. One class of ROP exploit is often referred to as a return-to-libc attack because it uses a standard C library resident in many software systems. An ROP exploit is a powerful technique that allows the attacker to exploit valid code sequences in software programs without injecting any new malicious code into the processor's address space. Small snippets of valid code sequences, often referred to as gadgets, may be found by the attacker, then strung together to form new malicious code sequences, thereby sidestepping defenses against code injection.
In ROP exploits, the small code snippets are portions of code that end with a return instruction. When a function is called, an address of the instruction after the call is pushed onto a stack as an address to return to after the called function completes. Thus, the stack may include many return addresses for the processor to jump to when called functions complete. If the attacker can write information to the stack, the attacker can overwrite an intended return address with a malicious return address. This return address may point to one of the gadgets identified by the attacker.
By manipulating multiple return addresses, the attacker controlling the call stack can chain multiple gadgets together to create a malicious code sequence without ever injecting any new code into the processor's address space. Through a choice of these malicious code sequences and their arrangement, the attacker can induce arbitrary (Turing-complete) behavior for a malicious program composed of the string of gadgets. This type of attack is successful because, in most systems, code and data addresses are predictable. That is, attackers can load particular code in their own computer, view their stack to determine how the code is being loaded, and use this information to exploit the return stack when such code is loaded in a target computer. Such an attack may generally rely on code being loaded the same way across different computers.
Therefore, there is a need for robust counter-measures that can detect exploitation of vulnerabilities in stacks and perform remedial actions when such exploitations are detected.
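The call and return behaviour described in the background can be modelled in a few lines of C. This is an added illustration, not part of the original document and not the detection method it goes on to describe; the protected shadow copy of return addresses, the 4-byte call length and every address are assumptions constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DEPTH 16

/* Toy model: stack[] holds return addresses and is reachable by data writes;
 * shadow[] is an assumed copy kept where data writes cannot reach. */
struct machine {
    uint32_t stack[DEPTH];
    uint32_t shadow[DEPTH];
    size_t sp;
};

/* Call: push the address of the instruction after the call
 * (call instruction assumed to be 4 bytes long). */
static int do_call(struct machine *m, uint32_t call_site) {
    if (m->sp >= DEPTH) return -1;              /* model stack is full */
    m->stack[m->sp] = call_site + 4;
    m->shadow[m->sp] = call_site + 4;
    m->sp++;
    return 0;
}

/* Return: pop the address the processor would jump to.
 * Returns 0 if it matches the recorded one, 1 if it was altered, -1 if empty. */
static int do_return(struct machine *m, uint32_t *target) {
    if (m->sp == 0) return -1;
    m->sp--;
    *target = m->stack[m->sp];
    return m->stack[m->sp] != m->shadow[m->sp];
}

/* Constructed scenario: two nested calls, optionally followed by a stray
 * write into the stack, then both returns. Returns the number flagged. */
static int run_scenario(int corrupt) {
    struct machine m = { .sp = 0 };
    uint32_t target;
    int flagged = 0;
    do_call(&m, 0x1000);
    do_call(&m, 0x2000);
    if (corrupt) m.stack[1] = 0x7f00;           /* constructed address */
    while (m.sp > 0) flagged += do_return(&m, &target);
    return flagged;
}

int main(void) {
    printf("clean: %d flagged, corrupted: %d flagged\n",
           run_scenario(0), run_scenario(1));
    return 0;
}
```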